Executive Summary
CVE-2026-15282 is a critical (CVSS 9.8) arbitrary file upload vulnerability affecting the Instant Appointment plugin for WordPress. All versions up to and including 1.2 are affected. The flaw is exploitable by completely unauthenticated attackers and can lead directly to remote code execution on the hosting server.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-15282 |
| CVSS Score | 9.8 (Critical) |
| Plugin | Instant Appointment |
| Affected Versions | All versions ≤ 1.2 |
| Vulnerability Type | Arbitrary File Upload |
| Authentication Required | None (unauthenticated) |
| Published | July 10, 2026 |
Technical Analysis
The vulnerability resides in the insapp_upload_image_as_attachment function within the Instant Appointment plugin. The root causes are:
- Missing file type validation — The function accepts file uploads without validating or restricting MIME types or file extensions. An attacker can supply any file, including server-side scripts.
- No authentication or capability check — The upload function is accessible without a valid WordPress session, nonce, or capability check, meaning any unauthenticated visitor can trigger it.
The attack flow is straightforward: an attacker submits a crafted HTTP request containing a malicious PHP file. If the file lands in a web-accessible directory, the attacker can request it via URL to achieve remote code execution.
This class of vulnerability (unauthenticated unrestricted file upload) is consistently among the highest-impact WordPress plugin flaws, as it provides a direct path to full server compromise.
Impact
- Remote Code Execution — uploading a PHP webshell grants command execution as the web server user
- Persistent backdoor access — the uploaded file remains after the initial attack
- Lateral movement — in shared hosting, may affect co-hosted sites
- Data breach — database credentials in
wp-config.phpaccessible to the RCE session - Ransomware staging — server can be used to download and execute further payloads
Affected Versions
| Plugin | Versions Affected |
|---|---|
| Instant Appointment | ≤ 1.2 |
Remediation
- Update the plugin to a version above 1.2 as soon as a patch is released. If no patch is available, deactivate and delete the plugin immediately.
wp plugin deactivate instant-appointment wp plugin delete instant-appointment - Scan for uploaded files — audit
wp-content/uploads/for PHP or other executable files uploaded recently. - Review access logs — look for POST requests matching the upload endpoint with unexpected content types.
- Deploy a WAF rule to block PHP/PHTML uploads if the site cannot be patched immediately.
- Rotate database credentials if any suspicious file access is identified.
Indicators of Compromise
- POST requests to the WordPress upload endpoint with
.php,.phtml,.pharpayloads - New PHP files in
wp-content/uploads/with timestamps matching attack window - Unexpected outbound web requests from the web server process
- Evidence of
wp-config.phpaccess from non-administrative sessions